CVE-2026-24124

Source
https://cve.org/CVERecord?id=CVE-2026-24124
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-24124.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-24124
Aliases
Published
2026-01-22T22:20:20.820Z
Modified
2026-03-13T04:09:47.698241Z
Severity
  • 8.9 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P
Summary
Dragonfly Manager Job API Allows Unauthenticated Access
Details

Dragonfly is an open source P2P-based file distribution and image acceleration system. In versions 2.4.1-rc.0 and below, the Job API endpoints (/api/v1/jobs) lack JWT authentication middleware and RBAC authorization checks in the routing configuration. This allows any unauthenticated user with access to the Manager API to view, update and delete jobs. The issue is fixed in version 2.4.1-rc.1.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/24xxx/CVE-2026-24124.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-306"
    ]
}
References

Affected packages

Git / github.com/dragonflyoss/dragonfly

Affected ranges

Type
GIT
Repo
https://github.com/dragonflyoss/dragonfly
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-24124.json"

Git / github.com/dragonflyoss/dragonfly2

Affected ranges

Type
GIT
Repo
https://github.com/dragonflyoss/dragonfly2
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "2.4.1"
        }
    ]
}

Affected versions

v1.*
v1.4.9-2
v2.*
v2.1.0
v2.1.0-beta.1
v2.1.0-beta.2
v2.1.0-beta.3
v2.1.0-beta.4
v2.1.0-rc.0
v2.1.1
v2.1.10
v2.1.11
v2.1.12
v2.1.13
v2.1.14
v2.1.15
v2.1.16
v2.1.17
v2.1.18
v2.1.19
v2.1.2
v2.1.20
v2.1.21
v2.1.22
v2.1.23
v2.1.24
v2.1.25
v2.1.26
v2.1.27
v2.1.28
v2.1.29
v2.1.3
v2.1.30
v2.1.31
v2.1.32
v2.1.33
v2.1.34
v2.1.35
v2.1.36
v2.1.37
v2.1.38
v2.1.39
v2.1.4
v2.1.40
v2.1.41
v2.1.42
v2.1.43
v2.1.44
v2.1.45
v2.1.46
v2.1.47
v2.1.48
v2.1.49
v2.1.5
v2.1.50
v2.1.51
v2.1.52
v2.1.53
v2.1.54
v2.1.55
v2.1.56
v2.1.57
v2.1.58
v2.1.59
v2.1.6
v2.1.60
v2.1.61
v2.1.62
v2.1.63
v2.1.64
v2.1.65
v2.1.66
v2.1.67
v2.1.7
v2.1.8
v2.1.9
v2.2.0
v2.2.1
v2.2.1-rc.0
v2.2.1-rc.1
v2.2.1-rc.3
v2.2.2
v2.2.2-rc.0
v2.2.3-rc.2
v2.3.0
v2.3.1
v2.3.1-beta.0
v2.3.1-rc.0
v2.3.1-rc.2
v2.3.1-rc.4
v2.3.2
v2.3.3
v2.3.3-rc.0
v2.3.3-rc.1
v2.3.4
v2.3.4-beta.0
v2.3.4-beta.1
v2.3.4-rc.0
v2.3.4-rc.1
v2.3.4-rc.2
v2.3.5-beta.0
v2.3.5-beta.1
v2.3.5-rc.0
v2.3.5-rc.1
v2.3.5-rc.2
v2.3.5-rc.3
v2.4.0
v2.4.1-beta.0
v2.4.1-beta.1
v2.4.1-rc.0

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-24124.json"